Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

While internet of things devices are often small embedded systems, IoT and the cloud are heavily co-mingled, as IoT devices make use of cloud services.

"Whether we are talking about voice-controlled assistants or talking Barbies, these all interact with services in the cloud," Brian Russell, chairman of the IoT Working Group at CSA and chief engineer, Cyber Security Solutions, Leidos, told eWEEK. "CSA has well-defined cloud security guidelines, with the Cloud Controls Matrix (CCM) and other guidance, but we realized that if the IoT products themselves are not secure, then there will continue to be compromises."

Further reading

Russell noted that the IoT can be thought of as a "system-of-systems," with many components working together to enable a service. In such a scenario, the system is only as secure as the weakest link.

"Unfortunately, IoT product vendors are often challenged in their ability to secure their products given they haven't been exposed to the need for security engineering in the past," Russell said.

Adding to the lack of vendor experience with security is a lack of skilled security engineers available to assist IoT vendors. Russell added that developers need a set of best practices to consider within their product development lifecycle, which is where the new CSA guidance is aiming to help fill the gap.

As part of the report, the CSA has outlined a secure IoT development methodology that will look somewhat familiar to engineers that have worked on cloud and mobile security in recent years.

"IoT security will have some similarities [to] and lessons learned from the adoption of cloud and mobile devices," John Yeoh, senior research analyst at CSA, told eWEEK.

Although there are many similarities with existing areas of security controls, IoT does introduce new areas of concern, for example, the need to understand the role that hardware plays in securing the device or exposing the device to vulnerabilities, Russell said. IoT is also a bit different from some other areas of technology in that it often aims for autonomous interactions between different types of products.

"This means that developers need to be aware of the other types of products or services that their devices may eventually interact with—and think through the potential security ramifications," Russell said. "For example, an automobile manufacturer may not have planned for an insurance company to build a dongle that connects to the OBD-II port and connects via Satcom or cellular."

A core element of the CSA IoT security approach is a safety impact assessment for a given IoT device to fully understand potential risks. Russell explained that the security impact assessment would need to answer several critical questions that would help expose the true risk.

The four key questions of such a safety impact assessment for IoT include the following:

Given the intended use of the product, is there anything harmful that could occur if the product stopped working as intended or stopped working completely?

Are there any safety-critical services or other products that rely on the functioning of this product?

If a device is compromised, are there any physical effects that could occur downstream from bad data coming from the device?

For safety-critical devices, what would happen if an attacker disabled the built-in safety features?

While IoT vendors have work to do in securing devices, users also have a role to play. Yeoh commented that password security is definitely mentioned in the CSA IoT paper. The use of default passwords is something in which the manufacturer can assist, but the reuse of passwords is something the user has control over, he explained.

"In addition to password protection, over-privileged access of the devices and the applications interacting with devices is something users can control," Yeoh said. "These devices and interfaces shouldn't have privileges and capabilities beyond their intended or defined roles."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter@TechJournalist.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.